<!DOCTYPE html>
<head>
<body>
  <script>
    if (window.testRunner)
      testRunner.dumpAsText();

    console.log("Clicking a link, pre-policy:");
    var clicked = 0;
    var a = document.createElement('a')
    a.setAttribute('onclick', 'console.log(clicked++ ? \'FAIL: Event handler triggered post-policy.\' : \'PASS: Event handler triggered pre-policy.\')');
    a.click();

    console.log("Injecting Content-Security-Policy.");
    var m = document.createElement('meta');
    m.setAttribute('content', 'default-src \'self\'');
    m.setAttribute('http-equiv', 'Content-Security-Policy');
    document.head.appendChild(m);
    console.log("Clicking a link, post-policy:");
    a.click();
  </script>
  <p>This test checks that CSP is evaluated on each call to an inline event handler, even if it's been executed pre-policy. It passes if one 'PASS' and no 'FAIL' messages appear.</p>
</body>
</html>
